Force DMZ clients/untrusted forest to use SUP in a DMZ?


We have SCCM 2012 R2 (with CU3 applied) running in our production domain with a single SCCM site. It is used to deploy MS patches, Applications and Windows 7 OS. It can deploy to our PROD domain and three other domains in different forests. One is a trusted domain and the other two are untrusted test domains (no firewalls present). All are working fine.

We now wish to deploy only MS Patches into another untrusted firewalled domain in a DMZ but can't make the DMZ clients see the DMZ SUP/WSUS server.

DMZ contains about 40 servers; there are no external "Internet clients". In an effort to reduce the number of clients communicating through the firewall, we installed a new site server in the DMZ which is a member of the DMZ domain. Created Boundary Groups. We opened the required firewall ports between PROD and DMZ SCCM servers. The DMZ domain was discovered OK and we can publish to the DMZ SMS AD container. The following roles were installed on the DMZ SCCM server:

  • Component Server
  • Site System
  • Distribution Point
  • Management Point
  • Fallback Status Point
  • Software Update Point (and WSUS)

I manually installed the SCCM clients on the DMZ servers.  DMZ servers appear in the correct Device Collections.  However, looking at the LocationServices, WUAHandler and WindowsUpdate logs, all of the servers are trying to contact the WSUS or Catalogue server in Production which is not allowed by the firewall.

Is there any way to force the DMZ servers to use the local DMZ SUP/WSUS server? Is this even possible? Can I have two SUPs in a single site, where one of the SUPs is actually a member of an untrusted/firewalled forest?

Thanks in advance for any suggestions.



July 30th, 2015 2:28am

Yes, it's supported to have multiple SUPs in a single site. Normally this is used for HA purposes, because it's not possible to assign a SUP to a specific client. The way this works, the client will go for a random SUP, and if that SUP responds the client will keep that one forever, or until it no longer works. When it doesn't respond after 30 minutes of trying, the client will go for the next one, and so on until it finds a SUP that answers.

What you did, blocking the traffic from the DMZ to the production SUP and only leaving open the traffic from the clients in the DMZ to the SUP in the DMZ, is the only way you could make this happen as of now. It's not sexy and might not be supported, but as of right now it's the only way to prevent clients from pointing to the wrong one.

If the fallback to the other SUP doesn't work because it's not really a SUP failure but more of a communication issue, look at the following to make it work:

http://blogs.technet.com/b/umairkhan/archive/2014/10/03/configmgr-2012-r2-multiple-sup-scenario-clients-not-failing-over-to-the-other-sup.aspx



July 30th, 2015 7:40am
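The reply above describes the client-side behaviour (a client picks one SUP, sticks to it, and only moves on after repeated failures). The following PowerShell is an added diagnostic example, not code from the thread, to run on a DMZ client: it reads the SUP the ConfigMgr client has locked onto, checks plain TCP reachability of each candidate SUP on the WSUS port, and triggers a Software Updates Scan Cycle so the logs show a fresh attempt. SCCMPROD1.domain.local and port 8530 come from the thread; SCCMDMZ1.dmz.local is an assumed placeholder for the DMZ SUP's name.

```powershell
# Added example (not from the thread). Run elevated on a DMZ ConfigMgr client.
# Assumptions: SCCMDMZ1.dmz.local is a placeholder for the DMZ SUP; 8530 is the WSUS HTTP port used in the thread.
$CandidateSups = @('SCCMPROD1.domain.local', 'SCCMDMZ1.dmz.local')
$WsusPort      = 8530

function Get-CurrentSup {
    # The WUAHandler records the SUP it is using in CCM_UpdateSource; ContentLocation is the WSUS URL.
    $src = Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -Class 'CCM_UpdateSource' -ErrorAction SilentlyContinue
    # The client also writes the same server into the local WindowsUpdate policy so the Windows Update Agent uses it.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CcmContentLocation = $src.ContentLocation
        CcmUpdateSourceId  = $src.UniqueID
        PolicyWUServer     = $pol.WUServer
    }
}

function Test-SupReachability {
    param([string[]]$Servers, [int]$Port, [int]$TimeoutMs = 3000)
    foreach ($s in $Servers) {
        # Raw TCP connect with a timeout (works on PS 2.0 / Windows 7 where Test-NetConnection is absent).
        # A firewall drop shows up here as a timeout, the same condition behind 0x80072ee2 (ERROR_INTERNET_TIMEOUT) in WUAHandler.log.
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            $async = $client.BeginConnect($s, $Port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch { $ok = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Server = $s; Port = $Port; Reachable = $ok }
    }
}

function Start-SupScan {
    # Schedule ID ...113 is the Software Updates Scan Cycle; the result lands in WUAHandler.log and WindowsUpdate.log.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList '{00000000-0000-0000-0000-000000000113}' | Out-Null
}

Get-CurrentSup
Test-SupReachability -Servers $CandidateSups -Port $WsusPort
Start-SupScan
```

If CcmContentLocation points at the production server while the reachability check shows it unreachable and the DMZ SUP reachable, the client is in exactly the state the reply describes: it has chosen a SUP it can no longer reach and has not yet decided that SUP has failed.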

Yes it's not supported to have multiple SUPs in a single site.

That is not true. 
July 30th, 2015 8:02am



Hi Frederick,

Thanks for your reply.  I stepped through the TechNet article you quoted.  I am seeing error 0x80072ee2 in the WUAHandler and WindowsUpdate logs on the DMZ client.  So I added the error code using wbemtest utility on the Prod SCCM server and checked that it appeared on the DMZ client (restarted the SMS server just to be sure).  Then left the system overnight and checked it this morning, but I am still getting the same error.

The DMZ client has no access to the PROD DMZ server due to firewall rules, so it should only ever find the SUP in the DMZ.  Looking at the log I see the client tries to hit the following web sites on the PROD server:

http://SCCMPROD1.domain.local:8530/SimpleAuthWebService/SimpleAuth.asmx and /ClientWebService/Client.asmx  

Does this mean I also need to install the Application Catalog Web Service Point and the Application Catalog Website Point roles on the DMZ Site System? Either way, I don't see the DMZ client even attempting to hit any server other than the Production server, which is specifically blocked by the firewall.

Regards,

July 30th, 2015 9:36pm

http://SCCMPROD1.domain.local:8530/SimpleAuthWebService/SimpleAuth.asmx and /ClientWebService/Client.asmx  

Does this mean I also need to install the Application Catalog Web Service Point and the Application Catalog Website Point roles on the DMZ Site System?

No, not at all. That has nothing to do with this error message.

Did you restart the client agent on the client in the DMZ?

There is no real supported way to force the SUP to switch, unfortunately. You could try creating a dummy DNS (or hosts file) record to point the name of the production SUP to something bogus. This should cause a different error message to be generated and may cause the client to switch SUPs.

There was a blog post up a few months back describing how to change the SUP directly in WMI, but sadly the blog doesn't exist anymore, so I don't have that info handy, and it's not in the Internet Archive either. It was of course unsupported, but it appeared to work.

July 30th, 2015 11:34pm
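The hosts-file suggestion in the reply above, written out as an added PowerShell example (not code from the thread or from the lost blog post it mentions). It maps the production SUP's name to an unroutable address so the Windows Update Agent fails fast with a connection error instead of waiting on a firewall drop, then triggers a scan and shows which SUP the client now reports. It refuses to override a name that is also the client's current management point, since breaking resolution for the MP would take the client off the site, not just off the SUP. SCCMPROD1.domain.local is from the thread; the 0.0.0.0 address, the `# sup-override` marker and the function names are assumptions made for this example, and the whole approach is as unsupported as the reply says.

```powershell
# Added example (not from the thread). Run elevated on the DMZ client.
# Assumptions: 0.0.0.0 as the bogus address; '# sup-override' as a marker so the entry can be reverted cleanly.
$ProdSup   = 'SCCMPROD1.domain.local'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# sup-override'

function Add-SupOverride {
    param([string]$Name, [string]$Address = '0.0.0.0')
    # Safety check: never black-hole the name the client uses for its management point.
    $mp = (Get-WmiObject -Namespace 'root\ccm' -Class 'SMS_Authority' -ErrorAction SilentlyContinue).CurrentManagementPoint
    if ($mp -and ($mp -ieq $Name)) { throw "$Name is the current management point; refusing to override it." }
    $pattern = "\s$([regex]::Escape($Name))\s*$([regex]::Escape($Marker))"
    $lines = Get-Content -Path $HostsPath -ErrorAction Stop
    if ($lines -match $pattern) { return }                      # entry already present
    Add-Content -Path $HostsPath -Value "$Address`t$Name`t$Marker"
    ipconfig /flushdns | Out-Null
}

function Remove-SupOverride {
    param([string]$Name)
    # Revert: keep every line except our tagged entry for this name.
    $pattern = "\s$([regex]::Escape($Name))\s*$([regex]::Escape($Marker))"
    $kept = Get-Content -Path $HostsPath | Where-Object { $_ -notmatch $pattern }
    Set-Content -Path $HostsPath -Value $kept
    ipconfig /flushdns | Out-Null
}

function Get-CurrentSupLocation {
    # What the client currently believes its SUP is; compare before and after the override.
    (Get-WmiObject -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -Class 'CCM_UpdateSource' -ErrorAction SilentlyContinue).ContentLocation
}

"Before: $(Get-CurrentSupLocation)"
Add-SupOverride -Name $ProdSup
# Restart the client agent (the reply asks whether this was done) and kick off a Software Updates Scan Cycle.
Restart-Service -Name 'CcmExec' -Force
Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
    -ArgumentList '{00000000-0000-0000-0000-000000000113}' | Out-Null
"After (re-check once WUAHandler.log shows the next scan): $(Get-CurrentSupLocation)"
# To revert later:
# Remove-SupOverride -Name $ProdSup
```

With the override in place, attempts to reach SCCMPROD1.domain.local on the two WSUS endpoints named earlier in the thread (SimpleAuthWebService/SimpleAuth.asmx and ClientWebService/Client.asmx, both part of WSUS, not the Application Catalog) should fail immediately rather than time out, which is the "different error message" the reply is counting on to make the client move to the DMZ SUP.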
